Image: thehayden.org

Image: thehayden.org

The Guardian reports that a security flaw in Chrome allows anyone with access to a computer to view all of the saved logins without requiring any form of authentication.

A serious flaw in the security of Google’s Chrome browser lets anyone with access to a user’s computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Besides personal accounts, sensitive company login details would be compromised if someone who used Chrome left their computer unattended with the screen active.

Passwords are accessed by clicking the menu icon (top-right), selecting Settings, clicking Show advanced settings at the bottom of the screen and then, in the Passwords and forms section, clicking Manage saved passwords. Passwords are initially obscured, but clicking the obscured password displays a Show button which then reveals the plain text password.

We’ve just tried it here, and it works. Bizarrely, Google’s Chrome developer team, Justin Schuh, is cited as saying Google is aware of the weakness but has no plans to fix it. Worldwide web inventor Tim Berners-Lee described Google’s response as “disappointing”, describing it in whimsical terms as “how to get all your big sister’s passwords.”

Although someone would need physical or remote access to the computer to do this, there are many shared computers in both home and work environments. Although it could be argued that access to the machine allows you to simply login to any of the stored sites directly, the difference here is that you’d be able to note a login and then use it later on a different machine.

Most browsers have a similar password-reveal function, but require a master password to be entered before passwords are displayed. In Safari on a Mac, logins are stored in Keychain, and your Mac password is required to reveal website passwords.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

13 Responses to “Security flaw in Chrome browser reveals plain-text passwords without authentication”

  1. djsparky2009 says:

    And no plans to fix it….good grief

  2. “google development team” can say whatever they want. They will be told to resolve the issue asap…

  3. This has been true since Chrome launched… kind of amusing that everyone is only freaking out about it now.

  4. Moises Agudo says:

    but, but, but, it’s an open architecture

  5. It’s okay. The NSA has all my passwords already.

  6. This has been around for years.
    And it’s great! Takes a while to find but its great for when you forget a password.

    I enjoy it!

    Just don’t give someone access to your computer if you dont trust them. And have a lock on your password.

    Lets stop being so anal with “security” and bring some common sense in ffs!

  7. teilo says:

    First of all, chrome on the Mac works exactly like Safari, because passwords are stored in the OS X keychain. Second, Firefox on all platforms works exactly like chrome on Windows. No password required. This is by design.

  8. Diji (@Diji) says:

    Firefox has this same “flaw”. Go to Preferences, Security, and click on Saved Passwords. In the dialog that appears, click “Show Passwords”. Is this really an issue? If someone has physical access to your computer, your passwords may not be your only worry.

  9. FireFox has the same problem and the “master password” option to protect this is NOT enabled by default.

  10. Joel Senders says:

    Everyone who is saying this isn’t a problem clearly does not administrate any kiosk machines or shared-use machines in a large environment.

    It is a major security problem.

  11. If someone has physical access to your pc, your passwords on chrome is not your biggest worry. I think the title of this article should be changed to: “Major security flaw in all computers – Users can choose not to password protect their computer”. THAT is what the problem is here, not chrome.